All Cybercrime IP Feeds by FireHOL

This site analyses all available security IP feeds, mainly related to on-line attacks, on-line service abuse, malware, botnets, command and control servers and other cybercrime activities.
 

Overview of firehol_level1

name: firehol_level1
category: attacks
maintainer: FireHOL
IP family: ipv4
ipset hash: hash:net
ipset entries: 3094 (min: 1888, max: 3095)
unique IPs: 613 260 800 (min: 612 173 824, max: 613 286 144)
source: (not a url)
local copy: download local copy
changesets: github commit log
check frequency: 1 minute
average update frequency: 14 hours and 17 minutes
aggregation: none
fetch errors: none
monitoring since: Fri Jun 19 2015 09:26:23 GMT+0200 (Central European Summer Time) (3284 days, 4 hours and 20 minutes ago)
last time updated by its maintainers: Sat Jun 15 2024 10:55:02 GMT+0200 (Central European Summer Time) (2 hours and 52 minutes ago)
last time processed by us: Sat Jun 15 2024 11:13:11 GMT+0200 (Central European Summer Time) (2 hours and 34 minutes ago)
last time we checked: Sat Jun 15 2024 11:13:11 GMT+0200 (Central European Summer Time) (2 hours and 34 minutes ago)

About firehol_level1

This IP list is a composition of other IP lists.

The objective is to create a blacklist that is safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs.

The key prerequisite is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions.

To accomplish this, we include the following IP lists:
  • fullbogons includes IPs that should not be routable on the Internet. It includes bogons, which lists private and reserved IPs, but it also includes IPs that are allocated to a registry but are not currently assigned to anyone (ISP, corporation or end user).

    fullbogons should be 100% safe: it should never include a false positive and should never earn you a complaint from an end user or customer. Of course it needs to be kept up to date, because unassigned space does get assigned and put into use. Note also that, because it contains the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), firehol_level1 must only be applied to Internet-facing traffic; applying it on an internal interface blocks your own LAN.
  • According to Spamhaus, DROP and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The spamhaus_drop and spamhaus_edrop lists are designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

    The spamhaus_drop list will not include any IP address space under the control of any legitimate network, even if it is being used by "the spammers from hell".

    spamhaus_edrop is an extension of the spamhaus_drop list that includes sub-allocated netblocks controlled by spammers or cyber criminals. spamhaus_edrop is meant to be used in addition to the direct allocations on the spamhaus_drop list.

    When implemented at a network's or ISP's core routers, spamhaus_drop and spamhaus_edrop help protect the network from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks.

    Spamhaus strongly encourages the use of spamhaus_drop and spamhaus_edrop by tier-1s and backbones.

    In my personal experience, Spamhaus is very responsive in cleaning up these lists when it receives complaints.
  • dshield summarizes the top 20 attacking class C (/24) subnets over the last three days. This sounds as if many false positives are included. They are not, and this is why:

    dshield.org, or rather the Internet Storm Center of the SANS Institute, collects firewall and IDS logs from hundreds of thousands of computers around the globe. You can submit yours too! The dshield IP list includes only the top 20 class C subnets, i.e. it always lists exactly 20 x 256 = 5120 IPs. The rate of change of these top 20 is so high that most of them are listed for just 15 minutes. Check it: go to the dshield page and look at the second chart (the "changes history" chart). Out of the 5120 IPs listed, about 3000 expire on every update.

    To visualize it even better, check the dshield_1d list. This one aggregates all IPs listed by dshield over 24 hours. Check its unique IPs count: 60k to 120k unique IPs pass through dshield every day.

    So, with such an aggressive change rate, is it useful at all? The whole idea of dshield is to follow the storm as closely as possible, and they are doing a great job accomplishing it.
  • There are several malware lists that are very focused. They only track IPs that are actively used by specific malware or trojans. These lists are usually very small and they even drop to zero IPs when the malware disappears.

    We include most of the Abuse.ch and Bambenek Consulting lists. Namely:

    These lists do suffer from some false positives, but not for dynamic IP users. The only false positives I ever found on these malware lists were on hosting providers that share the same IP among many sites. If a site is hosting malware or a trojan monitored by these lists, then the IP of that site, and therefore all the other sites that share the same IP, will be blocked.

firehol_level1 is updated automatically every time any of its IP lists is updated. If you use FireHOL's update-ipsets.sh, you can just enable it and it will be composed directly from the individual lists, on your computer. Otherwise, you can download it from github.
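How a level1-style list is composed from its components and then loaded into the firewall. This is an added example for this page, not FireHOL's update-ipsets.sh or iprange: the component lists are constructed samples of a few prefixes each (not the real fullbogons, spamhaus or dshield contents) and OWN_NETWORKS is a hypothetical placeholder for the operator's own prefixes. It aggregates the union of the lists, reports entries versus unique IPs and the distinct prefix lengths, flags entries that overlap your own address space, and renders an `ipset restore` script that swaps the new set in atomically.

```python
"""
Composing a firehol_level1-style ipset from component lists.

Added example for this page, not FireHOL's own code.  The component lists
are constructed samples of a few prefixes each, and OWN_NETWORKS is a
hypothetical placeholder for the operator's own address space.
"""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed samples in the text format FireHOL .netset/.ipset files use:
# one IP or CIDR per line, '#' starts a comment.
COMPONENT_LISTS: Dict[str, str] = {
    "fullbogons": "# constructed sample\n0.0.0.0/8\n10.0.0.0/8\n192.168.0.0/16\n",
    "spamhaus_drop": "# constructed sample\n10.0.0.0/8\n203.0.113.0/24\n",
    "dshield": "# constructed sample of top /24s\n203.0.113.0/24\n198.51.100.0/24\n",
    "malware_sample": "# bare IPs, no prefix length\n198.51.100.7\n192.0.2.44\n",
}

# Hypothetical: prefixes you own; a level1 list must never match them.
OWN_NETWORKS: List[str] = ["192.0.2.0/24"]


def parse_netset(text: str) -> List[IPv4Net]:
    """Parse one list: skip blank lines and comments, accept IPs and CIDRs."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def compose(lists: Iterable[str]) -> List[IPv4Net]:
    """Union of all component lists, aggregated: duplicates and prefixes
    contained in larger ones are merged, adjacent blocks are joined."""
    nets = [n for text in lists for n in parse_netset(text)]
    return list(ipaddress.collapse_addresses(nets))


def unique_ips(nets: Iterable[IPv4Net]) -> int:
    """Addresses matched.  Only correct for an aggregated (disjoint) set."""
    return sum(n.num_addresses for n in nets)


def prefix_lengths(nets: Iterable[IPv4Net]) -> List[int]:
    """Distinct prefix lengths: what drives hash:net lookup cost, not entries."""
    return sorted({n.prefixlen for n in nets})


def own_network_hits(nets: Iterable[IPv4Net], own: Iterable[str]) -> List[IPv4Net]:
    """Entries overlapping your own prefixes: review these before loading."""
    own_nets = [ipaddress.ip_network(o) for o in own]
    return [n for n in nets if any(n.overlaps(o) for o in own_nets)]


def ipset_restore_script(name: str, nets: Iterable[IPv4Net]) -> str:
    """Input for `ipset restore`: fill a temporary set and swap it in, so the
    live set is replaced atomically and is never seen half-loaded."""
    tmp = f"{name}.tmp"
    lines = [f"create {name} hash:net family inet",
             f"create {tmp} hash:net family inet"]
    lines += [f"add {tmp} {n.with_prefixlen}" for n in nets]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def build(name: str = "firehol_level1") -> dict:
    """Compose, check and render; returns the numbers a reader can inspect."""
    nets = compose(COMPONENT_LISTS.values())
    return {
        "entries": len(nets),
        "unique_ips": unique_ips(nets),
        "prefix_lengths": prefix_lengths(nets),
        "own_hits": [n.with_prefixlen for n in own_network_hits(nets, OWN_NETWORKS)],
        "restore": ipset_restore_script(name, nets),
    }


if __name__ == "__main__":
    result = build()
    print(f"{result['entries']} entries matching {result['unique_ips']} unique IPs,"
          f" prefix lengths {result['prefix_lengths']}")
    if result["own_hits"]:
        print("WARNING: entries overlap OWN_NETWORKS:", result["own_hits"])
    print(result["restore"], end="")
```

Load the rendered script with `ipset restore -exist < firehol_level1.ipset` (`-exist` lets the `create` line succeed when the set already exists), then reference the set from both directions, since the list is meant to block traffic from and to its IPs: `iptables -I INPUT -m set --match-set firehol_level1 src -j DROP` and `iptables -I OUTPUT -m set --match-set firehol_level1 dst -j DROP`. A list with more than 65536 entries needs `maxelem` raised on the `create` line (65536 is the hash:net default), and because the list contains the private ranges the rules belong on the Internet-facing interface only. In the sample, the malware entry 192.0.2.44 falls inside the hypothetical own prefix, which is exactly the kind of hosting-provider false positive the text describes and why the overlap check runs before loading.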

I would love to hear any comments for this list. So please, let me know if you have any.

Evolution of firehol_level1

Each time the IP list is changed, modified or updated we keep track of its size (both the number of entries and the number of unique IPs matched). Using this information we can see what the list maintainers do, and get an idea of the list's trend and of its maintainers' habits.

Using the chart below we attempt to answer these questions:

  • If you are going to use this IP list as a blocklist / blacklist at a firewall, its size can be important for the performance of the firewall.
    Keep in mind that the performance of Linux netfilter / iptables firewalls that use ipsets (like FireHOL does) is not affected by the number of entries in an ipset. Any number of entries can be added and the firewall will still do a hash lookup per packet checked against the ipset. What does affect hash:net ipsets is the number of different prefix lengths (subnet sizes) they contain, since the kernel performs one lookup for every distinct prefix length present in the set. FireHOL solves this by automatically reducing the number of distinct prefix lengths on all hash:net ipsets, at the cost of a few extra entries; the FireHOL article on ipset optimization explains how this is done.
  • The number of unique IPs matched by an IP list determines the effectiveness of the blacklist / blocklist.
    Generally, smaller IP lists are more focused and safer to use as firewall blacklists / blocklists. Fewer unique IPs means fewer possible false positives.
    On the other hand, a very small list will not provide a significant level of protection.
  • We need IP lists that are well maintained, frequently and regularly.
    In the chart below, a point is added only when the list maintainers add IPs to, or remove IPs from, the IP list, so even if the number of unique IPs remains the same, a point in the chart indicates that something changed in it. The exact number of unique IPs added and removed with each update can be seen on the changes-history chart that follows.
    The frequency of updates says nothing about the retention policy of the IP list; retention is examined in its own section below.
  • We don't want surprises. Sudden increases or decreases are generally an indication of poor maintenance.
    Of course, there are cases where an IP list will by definition have sudden changes in its size.

The chart below shows the last 500 updates of the IP list.

  • Entries is the number of entries the ipset has.
  • UniqueIPs is the number of unique IPs the ipset matches.

[Chart: firehol_level1 History, evolution of unique IPs and entries (series: UniqueIPs, Entries; Sep '23 to May '24; y-axis 0 to 700 000 000 IPs)]

The chart below shows the change history of the IP list, i.e. the number of unique IPs added and removed with each update.

Using the chart below we attempt to answer these questions:

  • There are IP lists that, although they have an almost constant size, change their contents almost entirely on every update.
    In other cases, similar IP lists have minimal incremental updates.
    The following chart attempts to visualize this.

[Chart: firehol_level1 Changes History, unique IPs added and removed with each update (series: AddedIPs, RemovedIPs; Sep '23 to May '24; y-axis -500 000 to 1 000 000 IPs)]

Country Map of firehol_level1

Each time an ipset is updated we check it against the MaxMind GeoLite2 country, the IPDeny.com country, the IP2Location.com Lite country and the IPIP.net country databases, to find the list's unique IPs per country.

Using the maps below we attempt to answer these questions:

  • If you are going to install this IP list as a blocklist / blacklist at a firewall, it is important to know which countries will be mainly affected, since you are going to block access from/to these IPs.

    All lists suffer from false positives to some degree, so using this IP list at your firewall might block some of your users or customers.

  • Some lists focus only on specific regions of the world. The following map illustrates this. It is a heat map of the list's focus.

[Map: firehol_level1 Country Map, unique IPs per country mapped with the GeoLite2 geo-country DB (colour scale 1 to 100M unique IPs). The corresponding maps for the ipdeny, ip2location and ipip databases are loaded dynamically.]

Age of IPs listed in firehol_level1

The age of each IP in the list is shown below. The time shown is calculated in real time; it will be refreshed as time passes, even if the list is not updated.

Using the chart below we attempt to answer these questions:

  • Most lists include IPs that match some criteria (e.g. an attack or abuse is detected originating from the IP in question). Once an IP is listed, it remains listed for a pre-defined amount of time, unless it matches the criteria again, in which case its expiration time is refreshed.

    Many lists announce the duration for which they list IPs. Many don't, and almost all lists have exceptions that do not follow the announced rules.

    A false positive arises when an IP that was properly detected and added to the list was released and re-used by another person before being unlisted. Since the world is full of dynamic IP users, false positives are the biggest problem of blocklists / blacklists.

    In the chart below we show the exact age of the IPs currently listed. Small ages are good. Long ages are not necessarily bad, but normally the longer ages should only be a small part of the list's size.

    Pay attention to the 50% mark: this is the median age of the IPs in the list, i.e. half of the listed IPs are younger than it. Pay also attention to the 75% mark and to the 90% mark, the age below which 90% of the list falls, which serves as a practical "expected maximum".

    For firehol_level1 in particular, about 97% of the matched IPs come from fullbogons (see the overlaps table), and bogon space stays listed for years, so the age and retention charts of this list are dominated by bogons. To judge the age of the attack-derived entries, look at the dshield and spamhaus lists individually.

  • The ideal age chart of a well maintained IP list should be a straight line from the bottom left corner to the upper right corner of the chart.

    Of course, this is affected by the pressure of different attacks and possibly by different listing policies for different types of attacks.

    In general though, this chart should be as granular as possible.

    Long horizontal lines indicate either sustained attacks, or unreasonably long listing periods.

[Chart: firehol_level1 Age of IPs, age of 613 260 800 currently listed IPs, monitored since Fri Jun 19 2015 09:26:23 GMT+0200 (Central European Summer Time); x-axis: IP age in hours; y-axis: % of IPs currently listed, cumulative and per hour]

Retention Policy of firehol_level1

The retention policy of the list shows for how long IPs were listed, when they were listed. This is calculated every time the list maintainers remove an IP from the list. The chart below shows the retention policy detected since we started monitoring the list (it is not limited to a certain timeframe).

Using the chart below we attempt to answer these questions:

  • This chart shows data for past IPs, i.e. IPs currently unlisted.
    The vertical parts of the "stair steps" in this chart indicate periods of intensive IP cleanup. This is their retention policy.
    If the chart contains more than one "stair step", the list has several different retention policies.

[Chart: firehol_level1 Retention Policy, retention of IPs not currently listed: 181 067 759 IPs removed, 100.00 % of the 181 067 759 IPs added since monitoring started (Fri Jun 19 2015 09:26:23 GMT+0200, Central European Summer Time); x-axis: retention in hours; y-axis: % of past IPs, cumulative and per hour]
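How the age and retention charts above can be reconstructed from successive snapshots of a list: the site records when each IP appears and disappears, and the same is done here for a constructed four-update history of a tiny list. This is an added example for this page, not the site's own code; SNAPSHOTS, NOW and the nearest-rank percentile convention are assumptions of this example, and the per-IP expansion is only practical for small samples (real lists need range arithmetic).

```python
"""
Age and retention of listed IPs, replayed from list snapshots.

Added example for this page, not the site's own code.  SNAPSHOTS is a
constructed history of a tiny list; NOW is the moment the age is computed.
"""
import ipaddress
import math
from datetime import datetime
from typing import Dict, List, Sequence, Set, Tuple

# Constructed: (update time, list contents at that update), oldest first.
SNAPSHOTS: List[Tuple[datetime, List[str]]] = [
    (datetime(2024, 6, 1, 0, 0), ["198.51.100.0/30", "203.0.113.9"]),
    (datetime(2024, 6, 1, 6, 0), ["198.51.100.0/30", "203.0.113.9", "192.0.2.0/31"]),
    (datetime(2024, 6, 2, 0, 0), ["198.51.100.0/30", "192.0.2.0/31"]),  # 203.0.113.9 dropped
    (datetime(2024, 6, 3, 0, 0), ["198.51.100.0/30", "203.0.113.9"]),   # /31 dropped, .9 re-listed
]
NOW = datetime(2024, 6, 3, 12, 0)


def expand(entries: Sequence[str]) -> Set[int]:
    """All addresses of the entries, as integers (small lists only)."""
    return {int(a) for e in entries
            for a in ipaddress.ip_network(e, strict=False)}


def track(snapshots: Sequence[Tuple[datetime, List[str]]],
          now: datetime) -> Tuple[List[float], List[float]]:
    """Replay the history.  Returns (ages of currently listed IPs in hours,
    retention of removed IPs in hours), both sorted ascending.
    A re-listed IP starts a new listing: its earlier retention is already
    recorded and its age restarts, matching a refreshed expiration."""
    first_seen: Dict[int, datetime] = {}
    retention: List[float] = []
    current: Set[int] = set()
    for when, entries in snapshots:
        new = expand(entries)
        for ip in new - current:
            first_seen[ip] = when
        for ip in current - new:
            retention.append((when - first_seen.pop(ip)).total_seconds() / 3600)
        current = new
    ages = [(now - first_seen[ip]).total_seconds() / 3600 for ip in current]
    return sorted(ages), sorted(retention)


def percentile(values: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile: the value below which pct % of IPs fall."""
    if not values:
        raise ValueError("no values")
    rank = max(1, math.ceil(pct / 100 * len(values)))
    return values[rank - 1]


def summary(snapshots=SNAPSHOTS, now=NOW) -> dict:
    """The numbers the charts are read for: median age, expected max age,
    median retention and the distinct retention values (the stair steps)."""
    ages, retention = track(snapshots, now)
    return {
        "listed": len(ages),
        "age_p50": percentile(ages, 50),
        "age_p90": percentile(ages, 90),
        "removed": len(retention),
        "retention_p50": percentile(retention, 50),
        "retention_steps": sorted(set(retention)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

With the constructed history the list ends up with five IPs: four of them 60 hours old and one re-listed 12 hours ago, so the median age is 60 hours; the three removed IPs were retained for 24 and 42 hours, giving two distinct steps in the retention chart, which is what the text means by a list having more than one retention policy.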

Overlaps of firehol_level1 with other IP lists

Using the table below we attempt to answer these questions:

  • Check the column Their %. A high percentage in this column indicates that the IP list of that row is (mostly) included in firehol_level1.

  • Check the column This %. A high percentage in this column indicates that firehol_level1 is (mostly) included in the IP list of that row.

  • Focus on the last two columns, Their % and This %. These two percentages show how much this list overlaps with other IP lists.

    Using the comparison table, we can easily find out that, for example, abuse is often initiated from anonymizing IPs (like open proxies) and from malware.

In the table below we compare firehol_level1 with all other lists. If a list is not shown in the following table, it does not have any IPs in common with firehol_level1.
  • Unique IPs is the number of unique IPs each ipset has.
  • Common IPs is the number of unique IPs common to firehol_level1 and each ipset.
  • Their % is the percentage: common IPs vs. the unique IPs of each row's ipset.
  • This % is the percentage: common IPs vs. the unique IPs of firehol_level1 (which has 613 260 800 unique IPs).
List                             Their %   This %
fullbogons                       100.00%   97.32%
cidr_report_bogons                98.35%   96.66%
iblocklist_cidr_report_bogons     98.35%   96.66%
bogons                           100.00%   96.65%
iblocklist_bogons                 84.28%   88.74%
iblocklist_iana_reserved         100.00%   87.54%
iblocklist_fornonlancomputers    100.00%   49.25%
iblocklist_iana_multicast        100.00%   43.77%
iblocklist_iana_private          100.00%    8.42%
et_block                          99.97%    2.66%
et_spamhaus                      100.00%    2.66%
spamhaus_drop                    100.00%    2.66%
iblocklist_spamhaus_drop          87.50%    2.47%
iblocklist_level2                  2.43%    1.34%
iblocklist_level3                  3.34%    0.75%
iblocklist_level1                  0.40%    0.47%
bbcan177_ms1                      39.79%    0.34%
firehol_level4                    20.13%    0.30%
iblocklist_hijacked               21.23%    0.30%
iblocklist_edu                     0.37%    0.14%
spamhaus_edrop                   100.00%    0.12%
sorbs_zombie                      34.58%    0.11%
firehol_webserver                  0.14%    0.01%
pushing_inertia_blocklist          0.14%    0.01%
sorbs_dul                          0.01%    0.01%
firehol_anonymous                  1.97%    0.00%
firehol_proxies                    1.98%    0.00%
ip2proxy_px1lite                   2.00%    0.00%
iblocklist_ads                     1.85%    0.00%
iblocklist_isp_sprint              0.25%    0.00%
datacenters                        0.01%    0.00%
firehol_level3                    20.80%    0.00%
dshield_30d                       56.52%    0.00%
iblocklist_isp_att                 0.01%    0.00%
dshield_7d                        70.97%    0.00%
sorbs_web                          0.09%    0.00%
firehol_level2                    15.03%    0.00%
dshield                          100.00%    0.00%
dshield_1d                        90.91%    0.00%
stopforumspam_365d                 0.89%    0.00%
iblocklist_spyware                 1.21%    0.00%
dronebl_irc_drones                 0.31%    0.00%
dronebl_anonymizers                0.23%    0.00%
firehol_abusers_30d                1.51%    0.00%
stopforumspam_180d                 0.96%    0.00%
stopforumspam_90d                  1.06%    0.00%
stopforumspam                      1.06%    0.00%
dronebl_worms_bots                 1.12%    0.00%
et_dshield                        20.00%    0.00%
stopforumspam_toxic                0.85%    0.00%
sorbs_recent_spam                  0.17%    0.00%
blocklist_net_ua                   1.15%    0.00%
darklist_de                        0.28%    0.00%
lashback_ubl                       1.60%    0.00%
stopforumspam_30d                  0.95%    0.00%
php_dictionary_30d                43.92%    0.00%
dataplane_sshclient                1.72%    0.00%
cleantalk_30d                      1.40%    0.00%
haley_ssh                          0.90%    0.00%
blocklist_de                       1.26%    0.00%
botscout_30d                       2.36%    0.00%
php_commenters_30d                26.95%    0.00%
php_spammers_30d                  33.37%    0.00%
voipbl                             0.40%    0.00%
cleantalk_updated_30d              1.28%    0.00%
cleantalk_new_30d                  1.66%    0.00%
iblocklist_pedophiles              0.03%    0.00%
stopforumspam_7d                   1.41%    0.00%
turris_greylist                    2.60%    0.00%
blocklist_de_ssh                   1.48%    0.00%
dataplane_sshpwauth                0.88%    0.00%
greensnow                          3.22%    0.00%
firehol_abusers_1d                 2.46%    0.00%
cleantalk_7d                       1.60%    0.00%
dronebl_ddos_drones                2.03%    0.00%
botscout_7d                        3.20%    0.00%
blocklist_de_mail                  1.00%    0.00%
sorbs_anonymizers                  0.02%    0.00%
cleantalk_updated_7d               1.74%    0.00%
dronebl_compromised                0.34%    0.00%
php_dictionary_7d                 40.48%    0.00%
dataplane_dnsrd                    2.49%    0.00%
stopforumspam_1d                   2.51%    0.00%
hphosts_emd                        0.17%    0.00%
php_spammers_7d                   33.79%    0.00%
php_commenters_7d                 27.19%    0.00%
iblocklist_cruzit_web_attacks      0.63%    0.00%
sblam                              2.95%    0.00%
coinbl_hosts                       0.85%    0.00%
cruzit_web_attacks                 0.64%    0.00%
blocklist_de_imap                  3.73%    0.00%
dataplane_dnsversion               2.16%    0.00%
sorbs_new_spam                     0.21%    0.00%
cybercrime                         4.26%    0.00%
firehol_webclient                  3.09%    0.00%
et_tor                             1.18%    0.00%
dm_tor                             1.17%    0.00%
blueliv_crimeserver_last_30d       0.07%    0.00%
blocklist_de_strongips            15.75%    0.00%
blueliv_crimeserver_last_7d        0.08%    0.00%
bds_atif                           5.15%    0.00%
blueliv_crimeserver_last_2d        0.08%    0.00%
hphosts_psh                        0.12%    0.00%
blueliv_crimeserver_recent         0.08%    0.00%
cleantalk_new_7d                   1.11%    0.00%
botscout_1d                        4.68%    0.00%
gpf_comics                         1.37%    0.00%
blueliv_crimeserver_last_1d        0.06%    0.00%
packetmail                         0.80%    0.00%
packetmail_ramnode                 1.28%    0.00%
dataplane_vncrfb                   0.95%    0.00%
taichung                           1.09%    0.00%
vxvault                           45.16%    0.00%
hphosts_fsa                        0.10%    0.00%
nixspam                            0.15%    0.00%
hphosts_ats                        0.18%    0.00%
bruteforceblocker                  6.47%    0.00%
et_compromised                     6.38%    0.00%
tor_exits_30d                      1.58%    0.00%
dataplane_dnsrdany                31.75%    0.00%
tor_exits_7d                       1.70%    0.00%
iblocklist_onion_router            1.70%    0.00%
tor_exits                          1.70%    0.00%
tor_exits_1d                       1.69%    0.00%
blocklist_de_apache                0.17%    0.00%
cleantalk_1d                       0.83%    0.00%
php_harvesters_30d                 3.83%    0.00%
dshield_top_1000                   1.60%    0.00%
blueliv_crimeserver_last           0.05%    0.00%
cleantalk_updated_1d               0.79%    0.00%
php_commenters                    20.00%    0.00%
php_commenters_1d                 20.00%    0.00%
blocklist_de_bots                  8.26%    0.00%
dronebl_auto_botnets               0.20%    0.00%
bitcoin_nodes                      0.13%    0.00%
bitcoin_nodes_1d                   0.10%    0.00%
bitcoin_nodes_30d                  0.05%    0.00%
bitcoin_nodes_7d                   0.08%    0.00%
blocklist_de_bruteforce            0.41%    0.00%
iblocklist_abuse_spyeye            8.33%    0.00%
php_dictionary                    14.00%    0.00%
php_dictionary_1d                 14.00%    0.00%
socks_proxy_30d                    0.13%    0.00%
blueliv_crimeserver_online         0.04%    0.00%
cleantalk                          1.22%    0.00%
coinbl_ips                         0.43%    0.00%
esentire_dorttlokolrt_com          0.03%    0.00%
socks_proxy_7d                     0.18%    0.00%
blocklist_de_sip                   7.58%    0.00%
botvrij_dst                        2.58%    0.00%
(first 150 of 222 rows)
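The Their % and This % columns of the table above, computed for constructed sample lists. This is an added example for this page, not FireHOL's iprange (which the site actually uses and which gets the same numbers far faster by merging sorted ranges); the sample list names only echo the table and hold a handful of made-up prefixes, and `is_subset` is a helper added here to show why a rounded 100.00 % does not prove that one list contains the other.

```python
"""
Overlap metrics of the comparison table: Common IPs, Their %, This %.

Added example for this page, not FireHOL's iprange.  All lists are
constructed samples.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network


def to_nets(entries: Iterable[str]) -> List[IPv4Net]:
    """Parse and aggregate, so the list's blocks are pairwise disjoint."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e, strict=False) for e in entries))


def count_ips(nets: Iterable[IPv4Net]) -> int:
    """Unique IPs of an aggregated list."""
    return sum(n.num_addresses for n in nets)


def common_ips(a: List[IPv4Net], b: List[IPv4Net]) -> int:
    """Addresses present in both aggregated lists.  Two CIDR blocks are
    either disjoint or one contains the other, so each overlapping pair
    contributes exactly the smaller block, and disjointness within each
    list rules out double counting.  Quadratic: fine for samples, not for
    a 600 000-entry list."""
    return sum(min(x.num_addresses, y.num_addresses)
               for x in a for y in b if x.overlaps(y))


def overlap_row(this: List[IPv4Net], other: List[IPv4Net]) -> Tuple[int, float, float]:
    """(common IPs, Their %, This %) exactly as the table defines them."""
    common = common_ips(this, other)
    their_pct = round(100.0 * common / count_ips(other), 2)
    this_pct = round(100.0 * common / count_ips(this), 2)
    return common, their_pct, this_pct


def is_subset(inner: List[IPv4Net], outer: List[IPv4Net]) -> bool:
    """Exact containment; a rounded 100.00 % in the table does not prove it."""
    return common_ips(inner, outer) == count_ips(inner)


# Constructed samples.
THIS_LIST = to_nets(["10.0.0.0/8", "203.0.113.0/24", "198.51.100.0/24"])
OTHERS: Dict[str, List[IPv4Net]] = {
    "bogons_sample": to_nets(["0.0.0.0/8", "10.0.0.0/8"]),
    "dshield_sample": to_nets(["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"]),
    "tor_sample": to_nets(["203.0.113.5", "10.1.2.3", "198.18.0.1"]),
    "unrelated": to_nets(["172.16.0.0/12"]),
}


def comparison_table(this: List[IPv4Net],
                     others: Dict[str, List[IPv4Net]]) -> List[Tuple[str, int, float, float]]:
    """Rows with at least one common IP, ordered like the page:
    This % descending, then Their % descending."""
    rows = []
    for name, nets in others.items():
        common, their_pct, this_pct = overlap_row(this, nets)
        if common:
            rows.append((name, common, their_pct, this_pct))
    rows.sort(key=lambda r: (r[3], r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    print(f"{'List':<16}{'Common IPs':>12}{'Their %':>9}{'This %':>8}")
    for name, common, their_pct, this_pct in comparison_table(THIS_LIST, OTHERS):
        print(f"{name:<16}{common:>12}{their_pct:>8.2f}%{this_pct:>7.2f}%")
```

The sample reproduces the two patterns visible in the real table: dshield_sample is small, so its 512 common IPs are 66.67 % of it but 0.00 % of the big list, while bogons_sample contains the whole 10.0.0.0/8 and rounds to a This % of 100.00 even though the two /24s are not in it, which is why `is_subset` checks the exact count rather than the rounded percentage.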

The data on this site were last updated 18 minutes ago, on Sat Jun 15 2024 13:28:27 GMT+0200 (Central European Summer Time).

 
2015-2017 Costa Tsaousis, for FireHOL, a firewall for humans!
The data on this page are automatically generated using FireHOL's update-ipsets.sh (for downloading the lists from their sources and generating the data for this site), which uses iprange (for comparing and manipulating IP lists). Both are part of FireHOL, which is provided under GPL v2, so you are free to get, use, adapt and re-distribute them.
This site is provided as-is, without any warranty. IP lists are the property of their maintainers.
This site is a single static page, with all its data uploaded as static JSON and CSV files every time an IP list is updated. For the final result, it uses IP data and web services provided by third parties: the IP lists and related data provided and maintained by their respective owners (mentioned together with each IP list), IP-to-country geolocation data provided by maxmind.com (GeoLite2), ipdeny.com, ip2location.com (Lite) and ipip.net, javascript chart libraries provided by highcharts.com, the comments engine provided by disqus.com, social media sharing buttons provided by shareaholic.com, the HTML, CSS and JS framework bootstrap, the bootstrap-table component, icons provided by iconsdb.com, and several services provided by github.